Q&A: What is two-step verification?

Apr. 7, 2013

by Rob Pegoraro, Special for USA TODAY

Question: What does two-step verification do that a password can't, and how do I avoid getting tripped up by it?

Answer: This security measure has come into fashion lately, thanks to a run of compromises at such online services as Evernote, Facebook and Twitter.

Those companies and others have responded to those hacking attempts by inviting their users to add a second level of defense. The basic concept is fairly straightforward: to verify that the person logging in isn't an impostor, ask her or him to provide a shared secret besides the password.

And an especially secure kind of secret is one that didn't exist a minute ago and won't be valid a minute from now: a numeric code generated on the spot and sent to a device that only you should have access to - your phone.

That's what Google and Yahoo have offered for a while, Facebook added two years ago, Dropbox rolled out last summer and Apple added a few weeks ago. Evernote and Twitter plan to do likewise. They don't usually require it on every login attempt; you should only see it in unusual circumstances, such as on a new computer or from a new location.

But these companies part company in how they send these codes, and those differences can leave you locked out.

Yahoo and Apple deliver codes in text messages. When I asked readers what they didn't like about two-step verification, most of their complaints involved that weak link: Either they had no phone service, or they were overseas and had to pay steep roaming fees.

Both companies provide backup methods with issues of their own. Yahoo will ask you a prearranged security question - but if you picked one that can be answered with a quick Web search, it's no defense. At Apple, you can enter a 14-character recovery key - if you remembered to write that down someplace handy.

Google's Authenticator app takes a different route: your phone doesn't need to be online at all. As long as its clock is roughly correct, the app and Google's servers will compute the same six-digit code from the secret they share and the current time.

I thought this was going to be more work than it was, but since finally turning on two-step verification I've realized I kind of like having industrial-strength cryptography looking out for me. And I'm glad that other services, such as Dropbox, accept Authenticator-generated codes too.

(Because Authenticator's code is "open source," you don't need to wait for Google to ship a version for your phone; other people have written their own. You also don't need to take Google's word that this app is secure, because others can inspect its source code for weaknesses.)

As a last resort, you can print out 10 extra one-time codes and carry that in your wallet.

But not all Google-linked programs or even all of Google's own apps accept these codes. For them, you need to log into your Google account to generate application-specific passwords. This can be more tedious, especially when I've had to redo this step after a program somehow stopped logging in properly.

You can also revoke any of these passwords with one click. As a reviewer, I like being able to terminate a review program or phone's access that easily.

Likewise, Facebook's iOS and Android apps include a "Code Generator" function that can compute these login codes even when your mobile device is offline.

My big hope is that as more services roll out two-step verification, we'll see some useful competition to make this feature easier and more accessible. You can help by turning it on now.

Tip: One-time passwords can secure you in sketchy situations

In lieu of two-step verification, Microsoft offers what can be the next best thing - as long as you remember to use it. If you've added your phone number to your account, you can send a text message asking for a one-time password, and Microsoft will generate one and text it to your phone. Facebook also offers this option, even if you haven't opted into its two-step verification.

(No, I have not gotten text-message spam from either company in the year or two since enabling this option.)

As long as you have phone service, this is a great option for logins from strange computers; an attacker can't get anywhere with the code because it expires once you use it. But while we're in a paranoid, worst-case scenario, remember that this hypothetical adversary could still record your keystrokes once you log in; don't type anything too sensitive on a random machine.